Google posts Windows 8.1 issue picked up by Project Zero before Microsoft can fix it

Google posts Windows 8.1 issue picked up by Project Zero before Microsoft can fix it

Google Project Zero has found a flaw in Microsoft Windows 8.1 and published it before Microsoft could fix the issue. Google’s Project Zero tracks vulnerabilities in software systems and reports them to vendors in real time setting.

A flaw was found in Microsoft Windows 8.1 operating system by a researcher that discovered that “Windows 8.1 security hole that allows lower-level users to become administrators, giving them access to sensitive server functions they’d normally have no right to” according to Engadget. Instead of waiting on Microsoft to fix the issue, Google Project Zero went ahead on publish the flaw few days ago. Project Zero gives vendors a time period of 90 days to fix any issue found, if the vendor fail to fix the issue then the system will publish its findings to the world, complete with code that can be used to exploit it.

Microsoft quickly responded by saying, “for a would-be attacker to potentially exploit a system, they would need to have valid logon credentials and be able to log on locally to a targeted machine” Google said they had contacted Microsoft about the issue and urged them to fix the issue within 90 days.

Some observers observing the issue with Windows 8.1 believes that Google’s action was “incredibly irresponsible and I’d have expected a greater degree of care and maturity from a company like Google”

while another observer disagree by saying “Maybe there is someone already exploiting this vulnerability even before this was posted. I think it is a good thing to make it public to generate some pressure to the developer/manufacturer to fix its products. Keeping this kind of vulnerabilities private only helps the people that are exploiting it in secret. ”

See all comments on this Microsoft Windows 8.1 vulnerability at Google

See full statements by both Google and Microsoft below as reported by Engadget.
Microsoft:
_______________________________________________________________________________________________________________________

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

Google:
_____________________________________________________________________________________________________________________________

“There was some confusion yesterday about whether we had contacted Msft about this issue, so we posted an update (below).

Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the “Reported” label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.

Project Zero’s disclosure deadline policy has been in place since the formation of our team earlier in 2014. It’s the result of many years of careful consideration and industry-wide discussions about vulnerability remediation. Security researchers have been using roughly the same disclosure principles for the past 13 years (since the introduction of “Responsible Disclosure” in 2001), and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy.

On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.

With that said, we’re going to be monitoring the affects of this policy very closely – we want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security. We’re happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors.”